Device security?

These often unbranded Chinese components are so much more available, but how secure are they?
At least the WiFi ones want your WiFi password, and then there are zigbee, Thread, Bluetooth…
And there are tuya, Xiaomi, Cozy Life… apps …and there is the gateway/border
What makers/standards can we be calm using? Anything to avoid?
Preferably I want the future proof ones, but matter/thread are still hard to find.
Thanks in advance!

Best to think about it from a holistic standpoint - not individual devices. In other words, know how to configure and manage your network and any device you put on it.

Some good guidelines here:

1 Like

Also, keep in mind that for wi-fi devices, yes, you give your SSID/Password.

But, that does not make other devices secure. For instance, you could add a device to your Zigbee network and it could phone home.

The good news is there are many folks that investigate these devices. I hate these words ;), but Google is your friend there.

Always check out devices to see what others have found. Search on model number, name, or any other info you have for a device.

Only if you use the manufacturers hub. If using Zigbee2MQTT or ZHA, no way they can phone home.


Zigbee and Z-Wave does not use a TCP based network protocol, so the can not “phone home”. Their hubs can though.
WiFi and Matter devices do use a TCP based network protocol, so they can in theory. Matter still often needs a hub though, because it is a link-local address space it uses.
The best solution is a good restrictive firewall with lots of logging enabled.

What worries me is not as much the communication security, but rather the quality of the hardware build in relation to fire and malfunction.
Many Chinese vendors list their product as CE branded, but the CE (Certified for European markets) mark is only related to the entity that first import a product into the European markets, which means you, if you order from something like AliExpress or similar.
In other words if an AliExpres catch fire in EU, then the insurance company can ask you to prove that the device was abiding by the EU rules and if you can’t then there is no insurance paid out.

1 Like

exactly. And also network segmentation and segregation for iot devices, nowadays it is something quite easy to achieve.
(i’m not monitoring my network logs, but when i add a new device to the IOT vlan i commonly give a look to tcpdump to see where is its home :slight_smile: )

As we all know the ‘s’ in IoT stands for security


Wasn’t this debunked long ago and even insurances said they give a sh*t as the CE sign isn’t even intended for customers…

Anything were you can install your own software on. That’s hardware which supports esphome for example:

The rest

Not debunked, but clarified.
The CE sign is not for customers, but for importers.
The problem is that a person buying from a place, like Aliexpress will be both a customer and an importer, but not a professional importer, so a bit of a grey area
What was made clear was that a CE sign on a product outside EU is worth nothing, because there are no requirements tied to it.

Not quite so easy!
Matter require IPv6 and HA really lack basic IPv6 support, so it can be hard to segment it properly.
In order for Matter and HA to work at the moment both Matter, HA, the matter device and the commissioning phone will ha e to be on the same network and HA and Matter will have to run with only a single NIC.

i’ve still not entered the matter world, but sad to know.

I have thought about suggesting a “Year of IPv6”, because HA is really becoming a bottleneck for implementing IPv6 in the home.

i’m not sure the rest of the world is much ahead on the topic… for example, i fear shelly devices are not ready at all to be ipv6 (and probably will never be, for old devices).
honestly, probabably 90% of other iot devices are not ipv6 ready :slight_smile:

Esp8266 has issues, but esp32 is pretty well supported.
Heman (I think that was the username) did an exceptionel job at getting ESPHome working.

Still some devices will have issues, but if a central component like HA does not support it, then it will be even harder to get device vendors to support it.

I just remeber that some one asked various insurance companies and none of them had the requirement of CE signs on any products to cover damages. If I remember allianz was one of them and they quite bluntly said they give sh’t and you rather should check for “real” quality signs like GS and what not (which actually forces a real test on the product unlike CE…)

So I expect it still to be bullshit and useless - or how could a customer spot the difference between a real or fake CE printed on a product?

Not quite, many people misunderstand this. Nothing get’s certified. CE is French and stands for conformité européenne and it’s nothing else than someone (usually the producer) says it is conform. It is absolutely no quality sign and doesn’t include any certification.

I don’t expect you can provide any link which could backup your story? For me it’s nothing else then FUD for now… it comes up every few years… Really strange

1 Like

GS is a better suited gn to go for yeah and the companies might say something like that now, but if they can prove that it was a particular device and they maybe have had a few more cases with that device vendor, then you bet they will grab the chance.
The CE sign is not a certificate as such. It is a liability sign. Someone inside EU have taken the liability for the product. That someone just happen to be the buyer, when ordering on Aliexpress.

So insurance companies are your friend as long as you pay but will turn into your enemy in case you got some damage they should cover. Fun fact: You payed the lawyers that now fight you!

Still not correct, sorry. In 2008 some Brits were asked what CE stands for

Church of England obviously!

But seriously… Maybe just give the Wikipedia article a go as it will clarify some things you got (wrong) a long the way. Probably just people like you trying to help but actually spreading information which isn’t correct (specially when simplified)

This is on the CE signature and list the one that place a product on the European markets as the liable entity.

It contains a link to the blue guide and paragraf 1.4 were liability is described.

No, a link were a insurance company didn’t cover a damage because of a missing/fake CE sign… But no worries, I don’t expect such a case exists…